New ransomware using BitLocker to encrypt data

SMART Estate Security 2024 Information Security, Residential Estate (Industry)

Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. The threat actors remove the recovery options to prevent the files from being restored and use a malicious script with a new feature: it can detect specific Windows versions and enable the BitLocker according to the Windows version.

The incidents with this ransomware, dubbed ‘ShrinkLocker’, and its variants were observed in Mexico, Indonesia, and Jordan. The perpetrators targeted steel and vaccine manufacturing companies and a government entity.

The threat actors are using VBScript – a programming language used to automate tasks on Windows computers – to create a malicious script with previously unreported features to maximise the attack’s damage, the Kaspersky Global Emergency Response team reports. The script’s novelty is that it checks the current version of Windows installed on the system and enables the BitLocker features accordingly. In this way, the script is believed to be able to infect new and legacy systems back to Windows Server 2008.

If the OS version is suitable for the attack, the script alters the boot settings and attempts to encrypt the whole drive using BitLocker. It establishes a new boot partition, essentially setting up a separate section on the computer’s drive containing the files for booting the operating system. This action is aimed at locking the victim out at a later stage. The attackers also deleted the protectors used to secure BitLocker’s encryption key so that the victim could not recover them.

The malicious script then sends information about the system and the encryption key generated on the compromised computer to the threat actor’s server. Afterward, it covers its tracks by deleting logs and various files that serve as hints and help to investigate an attack.

As a final step, malware forces the shutdown of the system - a capability facilitated by the creation and reinstallation of files in a separate boot partition. The victim sees the BitLocker screen with the message: “There are no more BitLocker recovery options on your PC”.

Kaspersky dubbed the script ‘ShrinkLocker’ as this name highlights the critical procedure of partition resizing, which was essential for the attacker to ensure the system booted correctly with the encrypted files.

“What is particularly concerning about this case is that BitLocker, originally designed to mitigate the risks of data theft or exposure, has been repurposed by adversaries for malicious ends. It is a cruel irony that a security measure has been weaponised in this way. For companies using BitLocker, it is crucial to ensure strong passwords and secure storage of recovery keys. Regular backups, kept offline and tested, are also essential safeguards,” explains Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

While Kaspersky’s team could obtain some of the passphrases and fixed values implemented by the threat actor to create the encryption keys, the script includes some variable values, which are different for each affected system, making the decryption process difficult.

The incident’s detailed technical analysis is available at https://securelist.com/ransomware-abuses-bitlocker/112643/.

Recommendations for users

Kaspersky experts recommend the following mitigation measures to prevent attackers from exploiting the feature described in the report:

• Use robust, properly configured security software to detect threats that try to abuse BitLocker. Implement Managed Detection and Response (MDR) to proactively seek out threats.

• Limit user privileges to prevent unauthorised enabling of encryption features or modification of registry keys.

• Enable network traffic logging and monitoring, capturing both GET and POST requests, as infected systems may transmit passwords or keys to attacker domains.

• Monitor for VBScript and PowerShell execution events, saving logged scripts and commands to an external repository for activity retention despite local erasure.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
The rise of AI-powered cybercrime and defence
Information Security News & Events AI & Data Analytics
Check Point Software Technologies launched its inaugural AI Security Report, offering an in-depth exploration of how cybercriminals are weaponising artificial intelligence (AI), alongside strategic insights defenders need to stay ahead.

Read more...
The deepfake crisis is here and now
Information Security Training & Education
Deepfakes are a growing cybersecurity threat that blur the line between reality and fiction. These AI-generated synthetic media have evolved from technological curiosities to sophisticated weapons of digital deception, costing companies upwards of $600 000 each.

Read more...
From the editor's desk: We’ve only just begun
Technews Publishing News & Events
The surveillance market has expanded far beyond the analogue days of just recording and/or monitoring screens. The capabilities of surveillance technology today extend to black screen monitoring with ...

Read more...
The future of the surveillance channel
Duxbury Networking Technews Publishing Elvey Security Technologies SMART Security Solutions Surveillance
The video surveillance market has evolved from camera-based specifications to integrated solutions that solve customers’ problems. Moreover, the growth of AI and cloud has changed the channel even more, with more to come.

Read more...
AI means proactive surveillance
DeepAlert Technews Publishing SMART Security Solutions AI & Data Analytics Surveillance
SMART Security Solutionsasked DeepAlert for some insight into how AI is transforming video surveillance, even to the extent of it being taught to protect the privacy of those in the cameras’ view.

Read more...
The state of the VMS market
Arteco Global Africa Milestone Systems Cathexis Technologies Technews Publishing Surveillance
SMART Security Solutions asked three platform vendors in South Africa, one that is developed and maintained in the country with an international market, for their views on the state of the VMS market and where it is headed.

Read more...
Dahua Summit 2025
Dahua Technology South Africa Technews Publishing SMART Security Solutions Products & Solutions
Dahua Technology South Africa held its annual summit in Johannesburg in early April. The summit focused on highlighting the company’s range of new products and solutions and recognising its regional partners.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...